With the advancement of computer and Internet technology, network applications such as online shopping and Internet banking have become increasingly popular. However, attacks on Web applications have become a major threat over the past decade. Even if a firewall has a strong set of rules and a server is always duly patched, an attacker may walk right into a system through port 80 when Web application developers do not follow secure coding practice. SQL injection and XSS (cross-site scripting) are two of the most common types of attack. Through SQL injection, data in a database may be stolen, and even the whole database can be dumped, which may be disastrous for some applications. Through XSS, secret data of an ordinary user may be stolen, for example the user's identity or session identifier.
Most security vulnerabilities of Web applications result from the Web server site failing to re-check submitted values. For example, a developer validates user input with a script only at the client site, and the input is not re-checked at the server site. In this case, a malicious user may bypass the client-site script validation by modifying the client-site HTML document or by building a request directly with a tool. Input from malicious users may therefore lead to SQL injection or XSS attacks because the Web server site does not re-check it.
Presently, a WAF (Web Application Firewall) is one approach to defending against SQL injection or XSS attacks. A WAF filters malicious requests before they reach the application server. One benefit of a WAF is that its filtering rules can be updated at runtime without obtaining or modifying source code, so the application need not be redeployed when a new vulnerability is found.
To use a WAF, an administrator has to configure positive and negative security models for the form items in a request. However, most applications have many forms, each form has multiple items, and the positive security model of each item is usually different. Configuring positive and/or negative security models for a whole application is therefore time-consuming. Furthermore, the WAF administrator may not be familiar with the application, which makes it difficult to produce a correct positive security model configuration without false-negative or false-positive issues.
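To make the positive and negative security models concrete, the following is an added example, not code from the patent or from any product it describes: a small rule file for one form and a checker that applies it to the form items of a single request. The path `/order`, the item names, the patterns and the sample requests are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed rule file for a hypothetical order form (example data, not from the page).
# Positive model: per-item allowlist regex that the whole submitted value must match.
# Negative model: deny patterns applied to every item of the form.
RULE_FILE = {
    "/order": {
        "positive": {
            "quantity": r"[0-9]{1,3}",
            "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
            "note": r"[A-Za-z0-9 .,!?-]{0,200}",
        },
        "negative": [
            r"<\s*script",              # HTML script tag fragment (XSS indicator)
            r"(?i)\bunion\s+select\b",  # SQL keyword pair (injection indicator)
            r"--",                      # SQL line comment
        ],
    }
}


def check_request(path: str, form: Dict[str, str], rules=RULE_FILE) -> List[str]:
    """Return the list of rule violations; an empty list means the request passes.

    Each form item must (1) be known to the positive model, (2) match its
    allowlist regex in full, and (3) match none of the negative patterns.
    """
    violations: List[str] = []
    form_rules = rules.get(path)
    if form_rules is None:
        return [f"no rule for path {path}"]
    positive = form_rules["positive"]
    for name, value in form.items():
        pattern = positive.get(name)
        if pattern is None:
            violations.append(f"{name}: unexpected form item")
            continue
        if re.fullmatch(pattern, value) is None:
            violations.append(f"{name}: fails positive model")
        for deny in form_rules["negative"]:
            if re.search(deny, value):
                violations.append(f"{name}: matches negative pattern {deny!r}")
    return violations
```

The positive model alone already rejects the malformed `quantity` value; the negative model is the coarser safety net that applies regardless of which item carries the suspicious fragment.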
An objective of the present invention is to provide a novel method and system for configuring a rule file for a firewall of a Web server, so as to eliminate security vulnerabilities of Web applications and remove, or at least reduce, the burden of manually configuring positive and/or negative security models for form items.